{ config, lib, ... }:
with lib;
{
  security.pam.services.login = {
    failDelay.enable = true;
    logFailures = true;
    rules = with config.security.pam.services.login.rules; {
      account.faillock = {
        inherit (auth.faillock) enable;
        args = [];
        inherit (auth.faillock) control;
        inherit (auth.faillock) modulePath;
        order = account.unix.order - 50;
      };
      auth = {
        faillock.args = [ "preauth" ];
        faillock-fail = {
          inherit (auth.faillock) enable;
          args = [ "authfail" ];
          inherit (auth.faillock) control;
          inherit (auth.faillock) modulePath;
          order = auth.unix.order + 50;
        };
      };
    };
  };
}
